
Enable mutual SSL authentication

What is mutual authentication?

Many people expect extra security, and mutual authentication is already supported in Terminal Service Plus. It is usually implemented by banks or government bodies.

To understand what it is, compare it with a standard SSL handshake to which you add an extra check confirming that the user's web browser is allowed to make the SSL connection. You know what your server-side SSL certificate is. Now imagine that a certificate is also imported into the web browser, so that this specific browser is trusted to create a connection. In the first step of the communication the web browser acts as the client, and in the second step it is the other way round. In the end both sides, the client's web browser and the web server, have accepted each other's authority and the connection can begin.

A more complete definition: mutual SSL authentication, or certificate-based mutual authentication, refers to two parties authenticating each other by verifying the digital certificate the other provides, so that both parties are assured of the other's identity. In technology terms, it refers to a client (web browser or client application) authenticating itself to a server (website or server application) and that server also authenticating itself to the client, each by verifying the public key certificate/digital certificate issued by a trusted Certificate Authority (CA). Because authentication relies on digital certificates, certification authorities such as Verisign or Microsoft Certificate Server are an important part of the mutual authentication process.


Enabling it in TSplus

The TSplus built-in web server can be configured for mutual authentication.

To enable mutual authentication, follow this process:

You will have to install the latest Java Development Kit (JDK), available from http://java.com > Downloads > JDK; the batch file below relies on its keytool utility.

  1. Create and edit with Notepad the following file: C:\Program Files (x86)\TSplus\Clients\webserver\settings.bin

Add these 3 lines:

    disable_http_only=true
    disable_print_polling=true
    force_mutual_auth_on_https=true

  2. Remove cert.jks

In "C:\Program Files (x86)\TSplus\Clients\webserver" you will see the file cert.jks. Copy it into "C:\Program Files (x86)\TSplus\Clients", then remove "C:\Program Files (x86)\TSplus\Clients\webserver\cert.jks".

  3. Create the batch file

In "C:\Program Files (x86)\TSplus\Clients" create a batch file, for example "createcertuser.bat", with these contents:

    @rem uncomment next line, if you want to generate a new self signed cert.jks (server keystore)
    @rem keytool -genkey -v -alias jwts -keyalg RSA -validity 3650 -keystore cert.jks -storepass secret -keypass secret -dname "CN=localhost, OU=my_ou, O=my_org, L=my_city, ST=my_state, C=MY"
    @rem 1. generate the browser user's key pair in a PKCS12 file (this file goes to the user's browser)
    @keytool -genkey -v -alias AliasUser1 -keyalg RSA -storetype PKCS12 -keystore forBrowserUser1.p12 -dname "CN=some_name, OU=some_ou, O=some_org, L=Paris, ST=FR, C=FR" -storepass mypassword -keypass mypassword
    @rem 2. export the user's public certificate (PEM) from the PKCS12 file
    @keytool -export -alias AliasUser1 -keystore forBrowserUser1.p12 -storetype PKCS12 -storepass mypassword -rfc -file forCertUser1.cer
    @rem 3. import that certificate into cert.jks so the web server trusts this browser
    @keytool -alias AliasCertUser2 -import -v -file forCertUser1.cer -keystore cert.jks -storepass secret
    @rem 4. the exported certificate file is no longer needed
    @del forCertUser1.cer

After creating the browser key pair, this automatically exports its certificate and imports it into "cert.jks".

  4. Restore the newly created, modified "cert.jks"

Copy "C:\Program Files (x86)\TSplus\Clients\cert.jks" into "C:\Program Files (x86)\TSplus\Clients\webserver" and restart the Web Servers.

  5. Importing and testing certificates

The batch example above should have generated a test file "forBrowserUser1.p12". When you open the HTTPS address, you will receive a security message and will be unable to access the Web Server pages. With Chrome or IE, you can double-click this "forBrowserUser1.p12" file to import the certificate into the Windows default key store. With Firefox, you need to go to Settings and import this "forBrowserUser1.p12" file under your certificates section.

As soon as you have properly imported it, you will be able to access the HTTPS address.

The administrator can create a separate key pair file for each user.

For example:

    forBrowserUser1.p12
    forBrowserUser2.p12
    forBrowserUser3.p12

The administrator can then export these certificates into cert.jks. To disable access for one user, simply delete that user's certificate from "cert.jks" (and restart the Web Servers, as in step 4). The user loses the authorization and can no longer access the web server.

This mutual authentication only affects HTTPS connections; plain HTTP connections are prohibited by the settings.bin line disable_http_only=true.
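The following Python script is an added example, not TSplus code, covering two passages above: the three settings.bin lines (it parses a settings file and reports any required key that is missing or not `true`) and the per-user provisioning and revocation workflow (it builds the keytool command sequence from the guide's batch file for any user name, plus the `keytool -delete` that removes a user from cert.jks). The passwords, `dname` fields and the `Alias<user>` / `forBrowser<user>.p12` naming scheme are assumptions taken from the batch file; unlike that batch file, the certificate is imported into cert.jks under the same alias it was generated with, so revocation can find it by name.

```python
"""Checks and command builders for the TSplus mutual-authentication setup.

Added example, not TSplus code. It (1) verifies that settings.bin carries
the three lines the guide requires and (2) builds the keytool command
sequences for provisioning a browser certificate per user and revoking it
by deleting the alias from cert.jks. Passwords, the dname fields and the
alias scheme are assumptions copied from the guide's batch file.
"""
import shlex
import subprocess

# The three settings.bin lines the guide adds.
REQUIRED_SETTINGS = {
    "disable_http_only": "true",
    "disable_print_polling": "true",
    "force_mutual_auth_on_https": "true",
}

# Constructed sample: a settings.bin where one value was mistyped as "ture".
SAMPLE_SETTINGS = """disable_http_only=true
disable_print_polling=ture
force_mutual_auth_on_https=true
"""


def parse_settings(text):
    """Parse key=value lines into a dict; blank and non key=value lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lower()
    return settings


def missing_mutual_auth_settings(text):
    """Return the required keys that are absent or not set to 'true'."""
    settings = parse_settings(text)
    return [key for key, want in REQUIRED_SETTINGS.items() if settings.get(key) != want]


def provision_user_commands(user, truststore="cert.jks", store_pass="secret",
                            user_pass="mypassword"):
    """keytool steps for one user, mirroring the guide's batch file.

    The certificate is imported into the truststore under the same alias it
    was generated with so revoke_user_commands() can find it (assumption:
    one alias per user).
    """
    p12 = f"forBrowser{user}.p12"   # private key + cert, handed to the user's browser
    cer = f"forCert{user}.cer"      # exported public certificate, imported into cert.jks
    alias = f"Alias{user}"
    dname = f"CN={user}, OU=some_ou, O=some_org, L=Paris, ST=FR, C=FR"
    return [
        ["keytool", "-genkey", "-v", "-alias", alias, "-keyalg", "RSA",
         "-storetype", "PKCS12", "-keystore", p12, "-dname", dname,
         "-storepass", user_pass, "-keypass", user_pass],
        ["keytool", "-export", "-alias", alias, "-keystore", p12,
         "-storetype", "PKCS12", "-storepass", user_pass, "-rfc", "-file", cer],
        ["keytool", "-import", "-v", "-noprompt", "-alias", alias, "-file", cer,
         "-keystore", truststore, "-storepass", store_pass],
    ]


def revoke_user_commands(user, truststore="cert.jks", store_pass="secret"):
    """Remove the user's certificate from cert.jks; the web server must then be restarted."""
    return [["keytool", "-delete", "-alias", f"Alias{user}",
             "-keystore", truststore, "-storepass", store_pass]]


def run_commands(commands, dry_run=True):
    """Print each command; with dry_run=False, execute it (requires a JDK on PATH)."""
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    print("missing or wrong settings:", missing_mutual_auth_settings(SAMPLE_SETTINGS))
    run_commands(provision_user_commands("User1"))
    run_commands(revoke_user_commands("User1"))
```

Run it as-is to see the checks and the dry-run command lines; pass `dry_run=False` on a machine with the JDK installed to actually create the `.p12` file and update cert.jks. Keeping one alias per user is what makes the "delete this user from cert.jks" step a single `keytool -delete` rather than a hunt through the store.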